Hackers' next target: Your eyeballs

@CNNMoneyTech July 26, 2012: 12:24 PM ET
Iris scanners aren't as hack-proof as we thought they were.

Iris scanners aren't as hack-proof as we thought they were.

LAS VEGAS (CNNMoney) -- We know that cybercriminals are attacking our networks and computers every day, but the next thing they come hunting for might be your eyes.

Some passwords for critical systems are gradually being replaced with biometric identifiers like fingerprints and iris scans, which supposedly offer a safer way to log in. Biometric information can't be stolen in a phishing attack, for instance, because the markers are unique (and physically attached) to each user. It's a foolproof system, right?

Ha.

It turns out that fingerprints and iris scans can be hacked just like a password, with a clever bit of reverse-engineering.

When biometric data is entered into a computer, the system doesn't store the actual fingerprint or iris scan. It records a digital template that serves as a trimmed-down representation of the biometric information. When a user goes to log in, his or her characteristics are matched against those templates, and the match is given a similarity score. If it's high enough, the user is let inside.

Last year, researchers at the University of Bologna in Italy were able to reconstruct a fingerprint from the digital template stored in a computer. They were so successful that they were able to build gummy finger versions of the prints that could be pressed up against a reader and used to fool the computer into letting them into someone else's account.

Iris scans shouldn't be susceptible to reverse-engineering, because the human iris is far more complex than a fingerprint and offers extremely low false positives in a scan. It's possible that your fingerprint comes close enough to matching mine, but the chances that your iris could be confused for someone else's are incredibly slim.

Yet new research shows that building an eyeball from a digital iris template is just as plausible as creating a fingerprint from a template.

At the Black Hat cybersecurity conference in Las Vegas on Wednesday, Javier Galbally, a researcher at the Universidad Autonoma of Madrid, Spain, showed how his team did it.

Iris scanners take an image of the eye, stretch the iris out into a rectangle, and then create a template of 0s and 1s called an "iriscode." In image form, it resembles a series of black and white pixels in a long, narrow rectangle. It looks nothing like an actual iris.

But don't tell that to an iris scanning system. By making an image out of the stored iriscode, stretching it into a circle, and feeding it back into the system, Galbally's team was able to get into the system with an 87% success rate.

The iris scanner didn't even care that the background was completely white, with no eyelid surrounding the reconstructed image. In other words, the scanner didn't look to check that the image it was looking at was really a human eye. That's a huge vulnerability, Galbally said, and one that iris scanning systems should fix.

The growing popularity of biometric scanners have raised concerns that bad guys are going to start gruesomely chopping off fingers and cutting out eyeballs to break into critical systems. (Hey, it worked in Demolition Man.)

It turns out they don't need the original sample at all -- just some hacking skills and a printer. To top of page

Most stock quote data provided by BATS. Market indices are shown in real time, except for the DJIA, which is delayed by two minutes. All times are ET. Disclaimer. Morningstar: © 2018 Morningstar, Inc. All Rights Reserved. Factset: FactSet Research Systems Inc. 2018. All rights reserved. Chicago Mercantile Association: Certain market data is the property of Chicago Mercantile Exchange Inc. and its licensors. All rights reserved. Dow Jones: The Dow Jones branded indices are proprietary to and are calculated, distributed and marketed by DJI Opco, a subsidiary of S&P Dow Jones Indices LLC and have been licensed for use to S&P Opco, LLC and CNN. Standard & Poor's and S&P are registered trademarks of Standard & Poor's Financial Services LLC and Dow Jones is a registered trademark of Dow Jones Trademark Holdings LLC. All content of the Dow Jones branded indices © S&P Dow Jones Indices LLC 2018 and/or its affiliates.